Secure quantum key distribution with an uncharacterized source 
We prove the security of the Bennett-Brassard (BB84) quantum key distribution protocol for
an arbitrary source whose averaged states are basis-independent, a condition that is automatically
satisfied if the source is suitably designed. The proof is based on the observation that, to an
adversary, the key extraction process is equivalent to a measurement in the $\sigma_x$-basis performed on
a pure $\sigma_z$-basis eigenstate. The dependence of the achievable key length on the bit error rate is the
same as that established by Shor and Preskill for a perfect source, indicating that the defects in the
source are efficiently detected by the protocol.



PACS numbers: 03.67.Dd 



Quantum key distribution is an ingenious application of quantum mechanics, in which two remote
parties (Alice and Bob) establish a shared secret key through the transmission of quantum signals.
In the BB84 protocol, Alice sends a key bit to Bob by preparing a qubit in one of two conjugate
bases and Bob measures the qubit in one of the two bases; the eavesdropper Eve, who does not know
the basis chosen by Alice or by Bob, cannot collect information about the key without producing
a detectable disturbance. This protocol, when suitably augmented by classical error correction
and privacy amplification, is provably secure against any attack by Eve allowed by the laws of
quantum physics.

Though security can be proven without imposing any restriction on Eve's attack (other than the
requirement that she has no a priori information about the basis used), it is necessary to place
conditions on the performance of the source and detector employed in the protocol. In the
Shor-Preskill proof, it is assumed that any flaws in the source and detector can be absorbed into
Eve's basis-independent attack. The proof by Mayers [2], however, applies to a more general
setting: although the source is perfect, the detector has never been tested and is completely
uncharacterized. Indeed, the detector could be under the control of Eve's collaborator Fred.
Fred is unable to send messages to Eve, but he knows Bob's basis and can adjust the measurement
performed by the detector accordingly. Still, as Mayers showed, Fred cannot fool Alice and Bob
into accepting a key that Eve knows, as long as the efficiency of the detector is basis
independent. Since a real device could have an indefinite number of degrees of freedom, no test
can fully characterize it; therefore proving security in the case of an uncharacterized
apparatus provides comfort to a highly suspicious user of the key distribution scheme.

In this Letter, we present a simple proof of the security of the BB84 protocol that applies to a
setting opposite to that considered by Mayers: the detector is perfect and Fred controls the
source. We will, however, place one important restriction on Fred's attack — the source must
not leak any information to Eve about the basis chosen by Alice. That is, the state emitted by
the source, averaged over the values of Alice's key bit, is required to be independent of
Alice's basis. Our proof applies to faulty sources that are notably more general than those
encompassed by the Shor-Preskill proof; to give just one example, it applies to a source that
performs perfectly when Alice chooses the $\sigma_x$-basis but that rotates the qubit when Alice
chooses the $\sigma_z$-basis. Nevertheless, our proof shows that secure key can be extracted from
sifted key at the same rate established by Shor and Preskill.

Our proof combines insights gleaned from both the Mayers proof and the Shor-Preskill proof.
Following Mayers, we analyze the information about (Bob's) key collected by Eve in the case
where Alice and Bob are using different bases. Following Shor and Preskill, we bound Eve's
information by observing that Bob could have performed error correction to remove any
entanglement with Eve's probe before executing the measurement that extracts his final key. The
core of our proof is the observation that a single quantum circuit computes Bob's final key in
the $\sigma_x$-basis and reverses the damage inflicted by Eve if the error rate is small in the
$\sigma_z$-basis. Using the same method, we can also prove security for the case of an
uncharacterized detector, allowing a more general source and establishing a higher rate of key
generation than in the proof by Mayers.

Before proceeding to the proof, let us specify in more detail our models of the source and
detector. Alice prepares a physical system with Hilbert space $\mathcal{H}_A$, which has an
arbitrary size, in one of four states $\rho(a,g)$ with probability $p_{a,g}$, where $a = 0, 1$
labels Alice's basis choice and $g = 0, 1$ is the value of her key bit. The choice of $a$ is
assumed to be completely random: $p_{a,0} + p_{a,1} = 1/2$. We assume that the states satisfy

$$p_{0,0}\,\rho(0,0) + p_{0,1}\,\rho(0,1) = p_{1,0}\,\rho(1,0) + p_{1,1}\,\rho(1,1), \qquad (1)$$

which is vital in the security proof. A convenient way to prepare such an ensemble is to
introduce an auxiliary system $A'$ with Hilbert space $\mathcal{H}_{A'}$. Alice first prepares
$\mathcal{H}_A \otimes \mathcal{H}_{A'}$ in an entangled state $\rho_{AA'}$, and then performs
a measurement $M_a$ on system $A'$ alone. The measurement $M_a$ gives a binary outcome,
determining $g$. Eq. (1) is then satisfied because the choice of the measurement, $M_0$ or
$M_1$, does not affect the marginal state of $\mathcal{H}_A$. Hence, if the source is realized
in this way, there is no need to carry out tests to characterize its performance.

As noted in g], if $A'$ is a qubit, $M_0$ is a measurement of $\sigma_z$, and $M_1$ is a
measurement of $\sigma_x$, then security can be established by the method of Shor and Preskill.
But our security proof invokes only the condition (1); no further properties of $\rho_{AA'}$,
$M_0$, or $M_1$ need be specified.
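
An added example, not part of the original Letter: a numerical check of condition (1) for the rotating source mentioned earlier, for a source with a basis-dependent bias, and for a source built from an entangled state as just described. The rotation angles, probabilities, the state PSI and all function names are constructed for illustration.

```python
import math

def averaged_state(weighted_kets):
    """sum_g p_{a,g} rho(a,g) for one basis a; each ket is pre-scaled by sqrt(p_{a,g})."""
    dim = len(weighted_kets[0])
    total = [[0j] * dim for _ in range(dim)]
    for v in weighted_kets:
        for i in range(dim):
            for j in range(dim):
                total[i][j] += v[i] * v[j].conjugate()
    return total

def basis_dependence(source):
    """Largest entry of |LHS - RHS| of Eq. (1); zero means no basis information leaks."""
    lhs, rhs = averaged_state(source[0]), averaged_state(source[1])
    return max(abs(x - y) for r, s in zip(lhs, rhs) for x, y in zip(r, s))

def scaled(p, ket):
    return [math.sqrt(p) * complex(c) for c in ket]

def rotated(theta, ket):
    """Real rotation of a qubit ket by angle theta."""
    c, s = math.cos(theta), math.sin(theta)
    return [c * ket[0] - s * ket[1], s * ket[0] + c * ket[1]]

def source_from_entanglement(psi, bases):
    """psi[i][k] is a pure state of A (index i) and A' (index k). Outcome g of a
    projective measurement of A' in the orthonormal basis bases[a] leaves A in the
    unnormalised ket sum_k conj(m_g[k]) psi[i][k]; the factor 1/2 is the
    probability of choosing a."""
    return {a: [scaled(0.5, [sum(complex(m[k]).conjugate() * row[k] for k in range(len(m)))
                             for row in psi])
                for m in basis]
            for a, basis in bases.items()}

Z0, Z1 = [1, 0], [0, 1]
X0, X1 = rotated(math.pi / 4, Z0), rotated(-math.pi / 4, Z0)

# The Letter's example: perfect in the sigma_x basis (a = 1), rotated in sigma_z (a = 0).
ROTATING = {0: [scaled(0.25, rotated(0.3, Z0)), scaled(0.25, rotated(0.3, Z1))],
            1: [scaled(0.25, X0), scaled(0.25, X1)]}

# Constructed counter-example: the key bit is biased, but only in the sigma_z basis.
BIASED = {0: [scaled(0.35, Z0), scaled(0.15, Z1)],
          1: [scaled(0.25, X0), scaled(0.25, X1)]}

# Constructed entangled state of a three-level A and a qubit A', measured in two
# arbitrary (not even conjugate) bases of A'.
PSI = [[0.6, 0.0], [0.0, 0.64], [0.48j, 0.0]]
ENTANGLED = source_from_entanglement(
    PSI, {0: [Z0, Z1], 1: [rotated(0.4, Z0), rotated(0.4, Z1)]})

if __name__ == "__main__":
    for name, src in [("rotating", ROTATING), ("biased", BIASED), ("entangled", ENTANGLED)]:
        print(f"{name:10s} violation of Eq. (1): {basis_dependence(src):.3g}")
```

Only the biased source gives a nonzero value; the entangled construction satisfies Eq. (1) whatever two measurements are chosen on A'.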

At the end of the transmission channel $\mathcal{H}_A \to \mathcal{H}_B$, Bob switches between
two measurements on $\mathcal{H}_B$. We assume that the two measurements are modeled by a
common quantum channel $\mathcal{H}_B \to \mathcal{H}_2$, where $\dim \mathcal{H}_2 = 2$,
followed by the measurement of the Pauli operator $\sigma_z$ or $\sigma_x$. In the security
proof, we include the common quantum channel in the transmission channel between Alice and Bob,
so that Bob receives a qubit at the end of the channel.

The protocol that we shall prove to be secure is the following: Let
$\Omega = \{1, \ldots, 4N(1+\epsilon)\}$. The variable denoted by $\bar a$ takes the value
opposite to $a$.

Protocol 1 (BB84) — (1) Alice creates random bit sequences $\{a_i\}$ and $\{g_i\}$ for
$i \in \Omega$. Alice randomly chooses a subset $R \subset \Omega$ with size
$|R| = 2N(1+\epsilon)$. (2) Bob creates a random bit sequence $\{b_i\}$. (3) When $i \in R$,
Alice sends $\rho(a_i, g_i)$. When $i \in \bar R\,(= \Omega - R)$, Alice sends
$\rho(\bar a_i, g_i)$. (4) Bob measures $\sigma_z$ when $b_i = 0$, and measures $\sigma_x$ when
$b_i = 1$. For either case, he sets bit $h_i$ according to the outcome ($h_i = 0$ for outcome
$1$ and $h_i = 1$ for outcome $-1$). (5) Bob announces $\{b_i\}$. Alice announces $\{a_i\}$ and
$R$. If the size of $T = \{i \in \bar R \mid \bar a_i = b_i\}$ is less than $N$, the protocol
aborts. Bob decides randomly on a subset $S \subset \{i \in R \mid a_i = b_i\}$ with $|S| = N$
and announces it (if he cannot do this, the protocol aborts). (6) Alice and Bob compare $g_i$
and $h_i$ for $i \in T$ and determine the error rate $\delta$. If $\delta$ is too large, the
protocol aborts. (7) Bob randomizes the positions of the $N$ qubits in $S$ by a permutation
$\pi$ and announces $\pi$. Bob announces a linear code $C$ with $|C| = 2^r$ that corrects
$N(\delta+\epsilon)$ errors occurring in random positions with probability exponentially close
to unity. (8) The sifted key $\kappa_{\rm sif}$ of length $N$ is defined as the sequence
$\{h_i\}_{i \in S}$. The final key is the coset $\kappa_{\rm sif} + C^\perp$. (9) Alice obtains
$\kappa_{\rm sif}$ by applying an error correction scheme to $\{g_i\}_{i \in S}$ via encrypted
communication with Bob, consuming $t$ bits of the previously shared secret key. Then Alice
obtains the final key.

Protocol 1 is the standard BB84 protocol, except for the use of $\bar a_i$ in place of $a_i$ in
steps (3) and (5), which we have adopted for later convenience in the proof. The random
permutation $\pi$ in step (7) is redundant, since it suffices to choose the code $C$ randomly
instead of doing the permutation. In the limit of large $N$, the achievable $r/N$ reaches
$1 - h(\delta)$ (where $h(\delta) = -\delta \log_2 \delta - (1-\delta)\log_2(1-\delta)$ is the
binary entropy function), and $t/N$ in step (9) approaches $h(\delta)$, resulting in the rate
of key generation $1 - 2h(\delta)$.
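
The classical bookkeeping of steps (1) to (6) and (8) of Protocol 1, as an added example that is not from the Letter. It assumes an ideal source and models the channel as flipping a matching-basis bit with probability flip_prob; these assumptions, the abort threshold max_error and all names are constructed for illustration.

```python
import random

def run_protocol1(N, eps, flip_prob, max_error, seed):
    """Steps (1)-(6) and (8) of Protocol 1 for an ideal source (assumption).
    Returns None on abort, else (error_rate, alice_bits_on_S, bob_sifted_key)."""
    rng = random.Random(seed)
    size = round(4 * N * (1 + eps))
    omega = range(size)
    # (1) Alice's basis labels a_i, key bits g_i and the subset R, |R| = 2N(1 + eps).
    a = [rng.randrange(2) for _ in omega]
    g = [rng.randrange(2) for _ in omega]
    R = set(rng.sample(omega, size // 2))
    # (2) Bob's basis choices b_i.
    b = [rng.randrange(2) for _ in omega]
    # (3)-(4) Alice sends in basis a_i on R and in the opposite basis elsewhere.
    h = []
    for i in omega:
        sent_basis = a[i] if i in R else 1 - a[i]
        if sent_basis == b[i]:
            h.append(g[i] ^ (rng.random() < flip_prob))  # constructed channel noise
        else:
            h.append(rng.randrange(2))  # conjugate basis: outcome is uniformly random
    # (5) Test set T outside R and key candidates inside R.
    T = [i for i in omega if i not in R and 1 - a[i] == b[i]]
    candidates = [i for i in omega if i in R and a[i] == b[i]]
    if len(T) < N or len(candidates) < N:
        return None
    S = rng.sample(candidates, N)
    # (6) Error rate on T.
    rate = sum(g[i] != h[i] for i in T) / len(T)
    if rate > max_error:
        return None
    # (8) Bob's sifted key; Alice's bits on S are returned for comparison.
    return rate, [g[i] for i in S], [h[i] for i in S]

if __name__ == "__main__":
    result = run_protocol1(N=200, eps=0.5, flip_prob=0.03, max_error=0.11, seed=7)
    if result:
        rate, alice, bob = result
        print("error rate on T:", rate)
        print("disagreements left for step (9):", sum(x != y for x, y in zip(alice, bob)))
```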

Our proof uses some basic properties of (classical) error-correcting codes. The linear code $C$
appearing in step (7) is an $r$-dimensional subspace of the binary vector space $F_2^N$. The
code $C^\perp$ appearing in step (8) is the orthogonal complement of $C$, called the dual of
$C$. We can specify a linear coding function $G: F_2^r \to F_2^N$, which assigns a distinct
codeword of $C$ to each binary sequence of length $r$. We have assumed in the protocol that $C$
corrects $N(\delta+\epsilon)$ errors occurring in random positions with probability
exponentially close to unity. More specifically, there exists a set of correctable errors
$\mathcal{E} \subset F_2^N$ and a decoding function $f: F_2^N \to F_2^r$, satisfying

$$f(G(y) + x) = y \qquad (2)$$

for any $y \in F_2^r$ and any $x \in \mathcal{E}$. A random error with weight at most
$N(\delta+\epsilon)$ belongs to $\mathcal{E}$ with probability exponentially close to unity.
The function $f$ is not necessarily linear and may be hard to compute, but we will need only
its existence for the proof of security — Bob does not compute $f$ in the actual protocol.

What Bob actually calculates is the coset $\kappa_{\rm sif} + C^\perp$ in step (8). One way to
do this is to use the function $G^T: F_2^N \to F_2^r$, which is the adjoint (matrix transpose)
of $G$ satisfying $G^T(x) \cdot y = x \cdot G(y) \pmod 2$ for any $x \in F_2^N$ and
$y \in F_2^r$. Since the kernel of $G^T(x)$ is $C^\perp$, the final key is the $r$-bit sequence
$G^T(\kappa_{\rm sif})$. The duality between $G$ and $G^T$ will play an important role in the
security proof below.
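
An added example, not from the Letter: the duality between G and its transpose, Eq. (2), and the coset key of step (8), checked exhaustively on the [7,4] Hamming code. The choice of code, the weight-one correctable set and all function names are assumptions made to keep the search small.

```python
from itertools import product

# Constructed example: generator rows of the [7,4] Hamming code, so N = 7 and r = 4.
ROWS = [(1, 0, 0, 0, 1, 1, 0),
        (0, 1, 0, 0, 1, 0, 1),
        (0, 0, 1, 0, 0, 1, 1),
        (0, 0, 0, 1, 1, 1, 1)]
N, r = 7, 4

def dot(u, v):
    return sum(a & b for a, b in zip(u, v)) % 2

def add(u, v):
    return tuple(a ^ b for a, b in zip(u, v))

def vectors(n):
    return list(product((0, 1), repeat=n))

def G(y):
    """Coding function F_2^r -> F_2^N: the codeword sum_j y_j ROWS[j]."""
    word = (0,) * N
    for bit, row in zip(y, ROWS):
        if bit:
            word = add(word, row)
    return word

def GT(x):
    """Adjoint F_2^N -> F_2^r: bit j is the parity of x on the support of ROWS[j]."""
    return tuple(dot(x, row) for row in ROWS)

def f(x):
    """A decoding function for Eq. (2), by exhaustive nearest-codeword search."""
    return min(vectors(r), key=lambda y: sum(add(G(y), x)))

def dual_code():
    """Kernel of GT, which is the dual code."""
    return [x for x in vectors(N) if GT(x) == (0,) * r]

def duality_holds():
    return all(dot(GT(x), y) == dot(x, G(y)) for x in vectors(N) for y in vectors(r))

def dual_is_orthogonal_complement():
    return (len(dual_code()) == 2 ** (N - r)
            and all(dot(c, G(y)) == 0 for c in dual_code() for y in vectors(r)))

def corrects_single_errors():
    """Eq. (2) with the correctable set taken as all errors of weight <= 1."""
    errors = [(0,) * N] + [tuple(int(i == j) for i in range(N)) for j in range(N)]
    return all(f(add(G(y), e)) == y for y in vectors(r) for e in errors)

def final_key(sifted):
    """Step (8): the r-bit label GT(sifted) of the coset sifted + dual code."""
    return GT(sifted)

def key_depends_only_on_coset(sifted):
    return all(final_key(add(sifted, c)) == final_key(sifted) for c in dual_code())
```

Two sifted keys that differ by an element of the dual code give the same final key, which is why the r-bit string labels the coset.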

In order to prove that protocol 1 is secure, we need to show that Eve's maximum knowledge $I_1$
about the final key is negligible. Note that Bob's final key is determined at step (8); step
(9), which assures that Alice's key agrees with Bob's and leaks no information to Eve, is not
relevant to $I_1$. Let us compare Protocol 1 with a modified one:

Protocol 2 — (3)' When $i \in R$, Alice sends $\rho(\bar a_i, g_i)$. When $i \in \bar R$,
Alice also sends $\rho(\bar a_i, g_i)$. The other steps are the same as Protocol 1.

This modification follows Mayers's argument [2] except for the exchanged roles of the sender
and the receiver. The only difference between protocols 1 and 2 is a flip in Alice's basis for
$i \in R$. But the bits $\{g_i\}$ for $i \in R$ are kept secret by Alice. Hence, for Eve and
Bob only the state averaged over $\{g_i\}$ is relevant, and this state is identical for the two
protocols by the condition Eq. (1). Therefore, Eve's maximum knowledge $I_2$ about Bob's final
key in Protocol 2 is the same as $I_1$.

Next, let us further modify Protocol 2 in favor of Eve, by allowing Eve to control Alice's
source. Now Eve knows $\{a_i\}$ and $\{g_i\}$ and is free to prepare the states measured by Bob
however she pleases. Since the states $\rho(\bar a_i, g_i)$ have been removed from the protocol
and Bob's measurements are symmetric in $b_i$, the protocol is completely symmetric in
$\{a_i\}$ and $\{g_i\}$. Therefore we may assume $\bar a_i = g_i = 0$ without loss of
generality. The resulting protocol is as follows:

Protocol 3 — (1) Alice randomly chooses a subset $R \subset \Omega$ with size
$|R| = 2N(1+\epsilon)$. (2) Bob creates a random bit sequence $\{b_i\}$. (3) Eve prepares Bob's
qubits and her ancilla system in a state. (4) Bob measures $\sigma_z$ when $b_i = 0$, and
measures $\sigma_x$ when $b_i = 1$. For either case, he sets the bit $h_i$ according to the
outcome. (5) Bob announces $\{b_i\}$. Alice announces $R$. If the size of
$T = \{i \in \bar R \mid b_i = 0\}$ is less than $N$, the protocol aborts. Bob decides randomly
on a subset $S \subset \{i \in R \mid b_i = 1\}$ with $|S| = N$ and announces it (if he cannot
do this, the protocol aborts). (6) Bob counts the number $n$ of bits with $h_i = 1$ for
$i \in T$ and determines the error rate $\delta = n/|T|$. If $\delta$ is too large, the
protocol aborts. (7) Bob randomizes the positions of the $N$ qubits in $S$ by a permutation
$\pi$ and announces $\pi$. Bob announces a linear code $C$. (8) The sifted key
$\kappa_{\rm sif}$ of length $N$ is defined as $\{h_i\}_{i \in S}$. The final key is the coset
$\kappa_{\rm sif} + C^\perp$.

Since the modifications in the protocol favor Eve, Eve's maximum knowledge $I_3$ about the
final key in Protocol 3 is no less than $I_2$: thus $I_1 = I_2 \le I_3$. To complete the proof,
we will show that $I_3$ is small — Eve cannot predict Bob's key accurately because Bob is
measuring in the "wrong" basis.

Let us denote the Hilbert space of Eve's system as $\mathcal{H}_E$ and that of the $N$ qubits
belonging to $S$ as $\mathcal{H}_S$. We may imagine that Bob's measurement on set $S$ is
delayed until step (8), and denote by $\rho$ the state over
$\mathcal{H}_S \otimes \mathcal{H}_E$ after the verification test on the set $T$ is done, but
before the qubits in $S$ are measured. The test on $T$ finds that the rate of error
($\sigma_z = -1$) over $N$ (or more) randomly chosen qubits is $\delta$. If the qubits in the
set $S$ were also measured in the $\sigma_z$-basis, then the joint probability of finding an
error rate less than $\delta$ in $T$ and finding more than $N(\delta+\epsilon)$ errors in $S$
would be asymptotically less than $\exp[-\epsilon^2 N/4(\delta - \delta^2)]$ for any strategy
by Eve. Ignoring any inefficient strategy that has only an exponentially small probability of
giving an error rate less than $\delta$ in $T$, we conclude that for the state $\rho$, the
probability of finding more than $N(\delta+\epsilon)$ errors in $S$ is exponentially small.

Let $\{|v\rangle_z, v \in F_2^N\}$ denote the "Z-basis" of $\mathcal{H}_S$, where the value of
the $j$-th bit of $v$ corresponds to the eigenvalue of $\sigma_z$ on the $j$-th qubit, and let
$\{|v\rangle_x = H^{\otimes N}|v\rangle_z\}$ denote the "X-basis," where $H^{\otimes N}$ is the
Hadamard transformation acting on the $N$ qubits. The announcement of $\pi$ in step (7) can be
described as the transmission from Bob to Eve of a particle $J$ in one of $N!$ orthogonal
states $\{|\pi\rangle_J\}$. The symmetrized state held by Bob and Eve after transmission of the
particle is

$$\rho_s = (N!)^{-1} \sum_\pi |\pi\rangle_J\langle\pi| \otimes (U_\pi \otimes 1_E)\,\rho\,(U_\pi^\dagger \otimes 1_E). \qquad (3)$$



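Let $P_{\mathcal{E}}$ be the projection of $\mathcal{H}_S$ onto the subspace spanned by the
states $|e\rangle_z$ such that $e \in \mathcal{E}$. The successful verification test ensures
that the probability of finding an error pattern that is not in $\mathcal{E}$ is exponentially
small: $\mathrm{Tr}[(P_{\mathcal{E}} \otimes 1_E)\rho_s] \ge 1 - \eta$, where $\eta$ is an
exponentially small number. (We are now regarding the particle $J$ as part of Eve's system
$E$.) If we define $\rho'$ as

$$\rho' = \frac{(P_{\mathcal{E}} \otimes 1_E)\,\rho_s\,(P_{\mathcal{E}} \otimes 1_E)}{\mathrm{Tr}[(P_{\mathcal{E}} \otimes 1_E)\rho_s]}, \qquad (4)$$

its fidelity § to $\rho_s$, $F(\rho', \rho_s) =$ [Tr( A
given by

$$F(\rho', \rho_s) = \mathrm{Tr}[(P_{\mathcal{E}} \otimes 1_E)\rho_s] \ge 1 - \eta. \qquad (5)$$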



In what follows, we will show that if the state $\rho'$ instead of $\rho_s$ were used, Eve
would have no information about the final key ($I_3 = 0$). Then we will infer that any actual
strategy by Eve (that passes the verification test with a probability that is not exponentially
small) gives her exponentially small information.

In Protocol 3, Bob measures in the Z-basis for the verification test, and in the X-basis to
generate the key — we need to show that if the error rate is low in the Z-basis, then the key
is random and private. Our proof invokes a quantum circuit that outputs the same $r$-bit final
key as Bob finds in Protocol 3, and that also expunges Eve's entanglement with the key bits.
Though Bob might not have actually executed this circuit, it would be all the same to Eve if he
had, which is sufficient to ensure privacy.

The circuit, shown in Fig. 1, uses an auxiliary system $Q$ of $r$ qubits initially prepared in
the state $|0\rangle_x$, and is a composition $U = U_2 U_1$ of two unitary operators $U_1$ and
$U_2$. The operator $U_1$, which calculates the final key, acts in the X-basis as

$$U_1: |x\rangle_x \otimes |y\rangle_x \to |x\rangle_x \otimes |y + G^T(x)\rangle_x. \qquad (6)$$

Using the duality between $G$ and $G^T$, we easily see that $U_1$ acts in the Z-basis as

$$U_1: |x\rangle_z \otimes |y\rangle_z \to |x + G(y)\rangle_z \otimes |y\rangle_z. \qquad (7)$$

The operator $U_2$ is defined in the Z-basis as

$$U_2: |x\rangle_z \otimes |y\rangle_z \to |x\rangle_z \otimes |y + f(x)\rangle_z, \qquad (8)$$

and in the X-basis acts as

$$U_2: |x\rangle_x \otimes |y\rangle_x \to |\Psi_{x,y}\rangle_x \otimes |y\rangle_x. \qquad (9)$$

Here $|\Psi_{x,y}\rangle$ is a rather complicated state of $\mathcal{H}_S$, but its exact form
is not relevant here.



FIG. 1. (a) A quantum circuit calculating $\kappa_{\rm fin} = G^T(\kappa_{\rm sif})$ in the X-bas
the final state of system $Q$ is $|0\rangle_z$.
If the initial state of the ancilla $Q$ is $|0\rangle_x$, then from Eqs. (6) and (9) we have

$$U(|\kappa_{\rm sif}\rangle_x \otimes |0\rangle_x) = |\Psi_{\kappa_{\rm sif},\,G^T(\kappa_{\rm sif})}\rangle_x \otimes |G^T(\kappa_{\rm sif})\rangle_x; \qquad (10)$$

the final key $\kappa_{\rm fin} = G^T(\kappa_{\rm sif})$ is obtained by measuring the system
$Q$ in the X-basis after execution of the circuit. On the other hand, Eqs. (7) and (8) with
$|0\rangle_x \propto \sum_y |y\rangle_z$ lead to

$$U(|x\rangle_z \otimes |0\rangle_x) \propto \sum_y |x + G(y)\rangle_z \otimes |y + f(x + G(y))\rangle_z; \qquad (11)$$

if the initial state $|x\rangle_z$ satisfies $x \in \mathcal{E}$, the final state of $Q$ is
$|0\rangle_z$, due to Eq. (2). Then, Eq. (4) ensures that if the initial state of
$\mathcal{H}_S \otimes \mathcal{H}_E$ is $\rho'$, the final marginal state of $Q$ is still
$|0\rangle_z$. Therefore, the final state $\rho_Q$ of $Q$ obtained when we start from the
actual state $\rho_s$ is exponentially close to $|0\rangle_z$:

$${}_z\langle 0|\rho_Q|0\rangle_z \ge F(\rho', \rho_s) \ge 1 - \eta. \qquad (12)$$

Eq. (12) establishes that the final key can be obtained from a complete X-basis measurement on
the state $\rho_Q$, whose fidelity to the Z-basis eigenstate $|0\rangle_z$ is exponentially
close to unity. From this, we conclude the following: (a) The mutual information $I_3$ between
the final key and Eve, who may conduct any measurement on her system, is upper-bounded by the
von Neumann entropy $S(\rho_Q)$. Since $\rho_Q$ has an eigenvalue greater than or equal to
$1 - \eta$, we have
$I_1 \le I_3 \le S(\rho_Q) \le h(\eta) + \eta \log_2(2^r - 1) \le h(\eta) + r\eta$. (b) The
probability distribution $p_y$ over the $2^r$ final keys is very close to uniform. In fact, the
fidelity to the uniform distribution cannot be lower than the fidelity in Eq. (12). Thus we
have $2^{-r}\left(\sum_y \sqrt{p_y}\right)^2 \ge 1 - \eta$. Using the inequality
$-2\log_2 x \le r(1-x)^2 + (1-x^2)/(\log_e 2)$, which holds for $x \ge 2^{-r/2}$ when $r$ is
large, the Shannon entropy of $\{p_y\}$ is bounded as
$H(\{p_y\}) = r + 2\sum_y p_y \log_2 (2^r p_y)^{-1/2} \ge r(2\sqrt{1-\eta} - 1) \ge r(1 - 2\eta)$.

The two imperfections of the final key derived in (a) and (b) can be combined into a single
parameter by the following argument. Let us assume that Bob randomly chooses and announces a
bit sequence $w \in F_2^r$, and produces a new key $w + y$ which is truly uniformly
distributed. If Eve's information about $y$ is $I_3$, then her information about $w + y$ is

$$r - H(\{p_y\}) + I_3 \le 3r\eta + h(\eta), \qquad (13)$$

which is also exponentially small, concluding the proof.

Finally, suppose that Bob uses a detector with imperfect efficiency, which has a "null" outcome
(signifying a detection failure) in addition to the valid binary outcome. Our proof remains
valid, provided that the efficiency (probability of obtaining a valid outcome) is the same for
the two bases, and the size of $\Omega$ is increased appropriately.

Our proof of security applies to an uncharacterized source with basis-independent averaged
states. By interchanging the roles of sender and receiver, the same proof can be applied to the
case of an uncharacterized detector, considered by Mayers [2]. Indeed, in that case our proof
allows a more general source (one triggered by a perfect measurement on half of an entangled
state, as opposed to a perfect source) and a higher rate of key generation ($1 - 2h(\delta)$
rather than $1 - h(\delta) - h(2\delta)$) than established by Mayers. In either case, by
exploiting the duality between the operation that encodes a message using $C$ and the operation
that computes a $C^\perp$-coset, our proof illuminates the connection between a low error rate
and successful privacy amplification.

It is also interesting to consider characterized imperfect sources and detectors that have
limited basis-dependent flaws. One important case of a characterized defective source, recently
analyzed in || , is a source that occasionally emits two identical copies of a qubit, one of
which can be intercepted by Eve. In this case, our proof does not apply because Eq. (1) is not
satisfied. Security criteria for characterized sources and detectors are further discussed in
lipf .